increasing security in an ASP.NET automation web site - asp.net

I've created a medium-sized web-based automation project for a university (VS2010, C#, ASP.NET, SQL Server 2008). Now they have asked me to give some proposals in order to increase site security. What can I tell them? What are my options? Encrypting the data? Changing the passwords periodically? What else can I do? Of course I know security is not a couple of lines of code that can simply be added to a huge program, but I'm searching for general approaches that can be pursued in order to increase security. Any suggestion would be highly appreciated.
Thanks.

Here is a good set of articles that you may want to take a look at; they may start you off in the right direction.

Please also have a look into this MSDN Magazine article on ASP.NET Security: http://msdn.microsoft.com/en-us/magazine/hh580736.aspx.

Related

Please advise about security issues when using Bitbucket

I am new and I am not sure if this is the place to ask this question.
I developed a web site alone using the WordPress framework.
Now I have a guy, whom I don't know well, joining me to develop the site. We live in different countries and we decided to use Bitbucket for code management.
I do not have any experience with team work or Bitbucket.
My concerns are:
1. Do I need to upload both the source code and the database to Bitbucket?
2. Do you think he will just take all the source code and the database, make his own website and become my competitor?
3. What should I be careful about when working in a team? I mean sharing code.
I know maybe I am quite small-minded. I am worried about security problems.
But I definitely need to have someone to work with me to develop the site.
Please advise and list any sources that are useful for this problem.
Thank you.
I'm not an expert in WordPress, but the concept still applies:
1. Source code: yes. Database: no, only the database schema / SQL scripts to recreate it.
2. That depends on his ethics. You should reach an agreement with him that guarantees he won't do so, by writing a contract, for example.
3. Take the following into consideration: coding standards; conventions for naming variables, pages, URLs, etc.; repository privacy set correctly; repository privileges distributed so that contributors can do only what they're supposed to do.
I'll leave the rest to you and other fellows on this website to figure out, depending on your experience :)

OpenText System Architecture Diagram

Does anyone know where I can find the System Architecture Diagram for RedDot?
I know they are now Web Solutions Group. If someone can retag this so it makes more sense that would be appreciated also.
Thank you.
The first place to check is the OpenText Knowledge Center. Unfortunately you need to set up an account with OpenText to use the KC (and my guess is that you don't have an account).
This SO thread requests RedDot resources; hopefully one of them will be of use to you.
I personally don't have what you're looking for (I work with OpenText's Alchemy).
EDIT:
Here's a link to the RedDot product page (OpenText account required):
OpenText Web Site Management (RedDot)

How to start a new ASP.NET MVC site?

I'm an experienced .NET developer, but I haven't done much web development, and particularly not a new site from scratch.
Now I am thinking of building a site for one of my hobbies. I realize that much of the functionality I need has already been built and hopefully released as open source. My wish is to find a skeleton for my site with the basic functionality to build upon. That will leave the specific and fun parts to me...
My wishlist:
- One logon for the site.
- User profiles.
- Possibility for users to contribute with articles, pictures, links etc.
- Leave comments for articles.
- Generate feeds.
- Build the site using ASP.NET MVC
Can anyone point me in the right direction? Where do I start?
I hesitated writing this answer because it might come across as flippant or deliberately unhelpful.
However, I cannot recommend highly enough the tutorials and examples on the MVC site; especially the NerdDinner example app and walkthrough (not sure if it's been updated for MVC2 though).
As a developer for developers ;) check this: http://kigg.codeplex.com/ I think it's exactly what you need. Live sample here: dotnetshoutout.com
Enjoy :)
Hi Malcolm, what you need has been implemented many times. If you need to start from scratch for the learning experience, I would recommend the ASP.NET MVC Membership Starter Kit (http://mvcmembership.codeplex.com/); it would handle user accounts and profiles for you (read up on ASP.NET membership if you are unfamiliar with it).
If you don't need to start from scratch, I would recommend looking at a CMS or blogging system, depending on your specific requirements, as there is no point in reinventing the wheel unless you really have to or want to learn.
Edit
Have a look here:
http://www.microsoft.com/web/gallery/Categories.aspx?category=Blogs
and
http://www.microsoft.com/web/gallery/Categories.aspx?category=ContentMgmt&appid=BlogEngineNET
I am not up to date with MVC blog engines, but I know there aren't too many CMSs around that would compete with the more mature ASP.NET alternatives.
I hope this is helpful.
Thanks,
B
Check out http://www.orchardproject.net/. But you may find some lighter alternatives for your specific needs. Or you can possibly combine a couple of CodePlex projects to get to where you want to be.
As stated above I would recommend going through the nerd dinner tutorial again. Also the nerd dinner code hosted at codeplex has been updated to Asp.net MVC 2.0, and is a great reference to many of the new features. Burt mentioned the MVC Membership Starter kit (http://mvcmembership.codeplex.com/), I have personally tinkered with this, and it saves hours upon hours of time by automagically implementing authentication and role management built on a standardized db schema easily generated by a tool found in the framework 2.0 files somewhere.

ASP.Net Learning

Hi, I am trying to build a website using ASP.NET. What is the best resource or way to learn it?
Also, do I need DotNetNuke or something similar to manage my project?
Thanks in advance.
I highly recommend staying far, far away from DotNetNuke, or any CMS for that matter. If your goal is to learn the language then getting tangled up in a [horrible] CMS will only make it harder on you.
IMO, DotNetNuke would be overkill and will likely confuse you more than help as they have implemented many advanced designs to make it as modular as possible. I.e., it will not be clear why they are doing things the way they are.
The simplest means to learn is to do it. Create a regular ASP.NET site for some personal or non-critical purpose. In terms of resources, there are of course plenty on the Internet beyond search. Here are a few:
ASP.NET
MSDN Magazine
Scott Guthrie's blog
In addition to stuff on the Internet, I would read lots of books. You can either purchase them individually or you could look at an online resource which allows you to read many, such as Books 24x7 or Safari Books.
The official site is a good start: http://www.asp.net/
The best way to learn is to do. Begin a website, and when you run into a problem you can't fix or figure out, check here or the sites others mentioned. I find books useful as references while I am working on a project but not as useful for reading straight through.
I also like www.codeproject.com when I am stuck.
DotNetNuke is an open source Content Management System (CMS). I would first learn ASP.NET. Try creating some sample web sites. As Thomas has rightly pointed out, DotNetNuke is overkill.

Example of a very insecure ASP.NET application

I am looking for a very insecure ASP.NET application. Ideally I'm looking for an application that was written by a noob who has made a lot of security mistakes. If the app has an MS-SQL back-end, that would be a bonus. I know of two cool projects for PHP and J2EE which fill my needs. Do you know anything like this for ASP.NET?
Hacme Bank is a pretty good example from Foundstone of what not to do. It's an older example, written in .NET 1.1 against SQL 2000, but covers most of the common vulnerabilities found in web applications.
I know one... there's a business near where I live, and I refuse to join their loyalty program because I accidentally stumbled across a SQL injection vulnerability on their site. I can't tell you who it is though, because they're a real business and I'm sure they don't want your students to hack them.
Why not write your own? Maybe start a codeplex project called LearnSecurity, which has a combination of pages - some which use bad security practices and some which don't.
Yes, as Rob suggested... you could make a couple of pages... On the first, get the input from a field and execute it against the database :) On the second, just get some text from the DB that contains a JavaScript alert or something and render it directly on the page :) Just an idea...
You can search the vulnerability databases, like NIST's.
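The two deliberately insecure pages suggested in the answer above, placed next to their hardened forms, as an added example; this is not code from this thread, from Hacme Bank, or from any project mentioned on this page. It is written for the stack in the opening question (C#, ADO.NET, SQL Server on .NET Framework 4), so it also serves as a concrete answer to "what can I do?" there for the two most common web flaws. The table `Students`, the column `Name`, the connection string and the two payloads are constructed for illustration; the commands are built but never executed, so it runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

// Added example, not code from any project on this page.
// "Students"/"Name", the connection string and the payloads are assumptions.
public static class InsecureVsSecure
{
    // Page 1, BAD: user input is concatenated into the SQL text. An input such as
    //   ' OR 1=1 --
    // closes the quoted literal and rewrites the WHERE clause.
    public static SqlCommand BuildLookupUnsafe(SqlConnection conn, string name)
    {
        string sql = "SELECT Id, Name FROM Students WHERE Name = '" + name + "'";
        return new SqlCommand(sql, conn);
    }

    // Page 1, GOOD: the input travels as a typed parameter. SQL Server never parses
    // it as SQL, so the same payload is only a (non-matching) string value.
    public static SqlCommand BuildLookupSafe(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Students WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Page 2, BAD: text read from the database is written into the page unchanged.
    // If someone stored "<script>alert(1)</script>", it runs in every visitor's browser.
    public static string RenderUnsafe(string textFromDb)
    {
        return "<div class=\"comment\">" + textFromDb + "</div>";
    }

    // Page 2, GOOD: HTML-encode at the point of output. In a Web Forms page the
    // equivalent is Server.HtmlEncode(...) or the <%: ... %> syntax.
    public static string RenderSafe(string textFromDb)
    {
        return "<div class=\"comment\">" + WebUtility.HtmlEncode(textFromDb) + "</div>";
    }

    public static void Main()
    {
        // Constructed inputs: one SQL injection payload, one stored-XSS payload.
        string injection = "' OR 1=1 --";
        string xss = "<script>alert(1)</script>";

        // The connection is only constructed, never opened, so no server is needed.
        using (var conn = new SqlConnection("Server=.;Database=Automation;Integrated Security=true"))
        {
            Console.WriteLine("Unsafe SQL : " + BuildLookupUnsafe(conn, injection).CommandText);
            SqlCommand safe = BuildLookupSafe(conn, injection);
            Console.WriteLine("Safe SQL   : " + safe.CommandText);
            Console.WriteLine("Parameter  : " + safe.Parameters["@name"].Value);
        }

        Console.WriteLine("Unsafe HTML: " + RenderUnsafe(xss));
        Console.WriteLine("Safe HTML  : " + RenderSafe(xss));
    }
}
```

Running it prints the unsafe command text with the quoted literal closed by the payload and `OR 1=1 --` appended to the query, whereas the safe command keeps its text fixed and carries the whole payload as the value of `@name`. For the second page the unsafe render emits the `<script>` tag verbatim, while `WebUtility.HtmlEncode` turns `<` and `>` into `&lt;` and `&gt;`, so the browser shows the text instead of executing it. For a lab built along these lines, keep the insecure and secure variants as separate pages so students can diff them.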
